Month: November 2009

Earlier this week I presented the Identity Keynote at the Microsoft Professional Developers Conference (PDC) in LA. The slide deck is here, and the video is here.

After announcing the release of the Windows Identity Foundation (WIF) as an Extension to .NET, I brought forward three architect/engineers to discuss how claims had helped them solve their development problems. I chose these particular guests because I wanted the developer audience to be able to benefit from the insights they had previously shared with me about the advantages – and challenges – of adopting the claims based model. Each guest talks about the approach he took and the lessons learned.

Andrew Bybee, Principal Program Manager from Microsoft Dynamics CRM, talks about the role of identity in delivering “the Power of Choice” – the ability for his customers to run his software wherever they want, on premises or in the cloud or in combination, and to offer access to anyone they choose.

Venky Veeraraghavan, the Program Manager in charge of identity for SharePoint, talks about what it was like to completely rethink the way identity works in SharePoint so it takes advantage of the claims based architecture to solve problems that previously had been impossibly difficult. He explores the problems of “multi-hop” systems and web farms, especially the “Dreaded Second Hop” – which he admits “really, really scares us…” I find his explanation riveting and think any developer of large scale systems will agree.

Dmitry Sotnikov, who is Manager of New Product Research at Quest Software, presents a remarkable Azure-based version of a product Quest has previously offered only “on premise”. The service is a backup system for Active Directory, and involved solving a whole set of hard identity problems involving devices and data as well as people.

Later in the presentation, while discussing future directions, I announce the Community Technical Preview of our new work on REST-based authorization (a profile of OAuth), and then show the prototype of the multi-protocol identity selector Mike Jones unveiled at the recent IIW. And finally, I talk for the first time about “System.Identity”, work on a user-centric, next-generation directory that I wanted to take to the community for feedback. I'll be blogging about this a lot and hopefully others from the blogosphere will find time to discuss it with me.

I've sometimes been of two minds about OpenID. I've always seen it as alluring because of its simplicity and openness. It seemed perfect for simple web applications.

But in my darker moments, I worried about some of the system's usability and security issues. In particular, I was concerned about how easy it would be for an “evil site” – a malicious relying party – to redirect users to a web site that looks identical to their OpenID provider, convince them to log in, and then steal their credentials. If this were to happen, everything that is good about OpenID would turn into something negative.

OpenID has become a key part of the Identity Metasystem

I think many of us involved with the OpenID community came to the same conclusions, but felt that if we kept trying to move adoption forward, we'd be able to figure out how to solve the problems. In the last year, OpenID has without doubt become the most widely adopted system for reusable internet identity. Adoption by destination sites continues to grow dramatically: approximately 50,000 sites as of July 1, 2009. The big Internet properties like Google, Yahoo, AOL, MySpace, and Windows Live have become (or are becoming) OpenID Providers. As a result, the vast majority of the online US population has an account that can be used to log in at the growing number of destination sites.

Maybe even more important, some of these sites are of the kind that can quickly change perception and behavior.

Most notable is Facebook, which took a huge step forward when it started accepting OpenIDs for login – blowing away the old saw that “no one wants to be a relying party”.

Now, the US Government has decided to adopt OpenID as one of the identity protocols for citizen interaction – again, as Relying Party, not Identity Provider.

Sea Change

There is a sea-change here. I strongly believe the right thing to do is get behind OpenID as part of the Identity Metasystem, help promote adoption, and work with the community to make it safer and easier to use. What is encouraging is that the community has repeatedly shown its ability to evolve as it deploys, and has been able to rapidly extend the standard from the inside. It has now become widely recognized in the industry that active client software (also called an “Identity Selector”) for OpenID could solve most of its problems, given some minor revisions or additions to the protocol. By remembering the identities you use, this kind of software can address two sets of issues:

Usability: Lets you bring your identities with you to the site, rather than the site having to guess what identities you have

Security: Protects you from being redirected by a malicious relying party to a site impersonating your real OpenID provider in order to steal your password

New prototype at IIW

Yesterday at the OpenID Summit hosted by Yahoo, Microsoft's Mike Jones and Ariel Gordon showed some of the work their team has been doing to help figure out how this kind of capability could work. What's cool is that the client they were showing is completely optional – without it, OpenID continues to work as it currently does. But with it, experience improves and the dangers are greatly reduced. I agree with them that demand for a better and safer OpenID user experience will drive selector adoption, which will in turn enable scenarios at higher levels of assurance than are possible with OpenID today.

Ariel Gordon, the main UX designer, told me, “I see it as a starting point for joint work with others in the community – definitely not a finished solution or product.”

It is consistent with the Information Card metaphor:

Your OpenIDs are shown as visual cards

You select an OpenID by clicking

The OpenID last used at the site is the default selection

New OpenIDs can be added on the fly, by picking one from a list suggested by the site, or by typing the provider’s URL.

Mike made a good point about what this means for people who use smaller OpenID providers: “The cool thing is that it remembers the OpenIDs you’ve used and where you used them […] With a web-based Nascar user interface, Arizona State University users will never get the same user experience that Google.com users get […]”
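To make concrete what the selector's memory buys you – the usability point above (the OpenIDs you have used at a site come with you, the last one used is the default) and the security point (a rogue relying party's look-alike provider shows up as something you have never used, and clicking your real provider's card sends you to the endpoint the selector stored, never to the link the site supplied) – here is an added sketch in Python. It is not code from the Microsoft prototype; the hostnames, endpoint paths, and the sample login history are constructed placeholders.

```python
"""Per-relying-party memory of an OpenID identity selector and the
"never used here" warning it derives from that memory.

Added example, not code from the Microsoft prototype; every URL and name
below is a constructed placeholder."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> str:
    """Reduce a URL to scheme://host[:port]; this is the unit the selector compares.
    A lookalike such as https://login.yahoo.example.attacker-host.example/ therefore
    never matches https://login.yahoo.example/ by accident."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = "" if p.port in (None, DEFAULT_PORTS.get(scheme)) else f":{p.port}"
    return f"{scheme}://{host}{port}"


@dataclass
class Card:
    label: str         # text on the tile, e.g. "Yahoo"
    op_endpoint: str   # where the selector will send the user if clicked
    status: str        # "used here", "used elsewhere" or "never used here"
    default: bool = False


@dataclass
class Selector:
    # OP origin -> (label, full endpoint URL) as stored when the user added it
    providers: dict = field(default_factory=dict)
    # RP origin -> OP origins used there, most recent first
    history: dict = field(default_factory=dict)

    def remember(self, rp_url, op_endpoint, label):
        op = origin(op_endpoint)
        self.providers.setdefault(op, (label, op_endpoint))
        used = self.history.setdefault(origin(rp_url), [])
        if op in used:
            used.remove(op)
        used.insert(0, op)

    def cards_for(self, rp_url, suggested):
        """Build the tiles for a login at rp_url.  `suggested` is the RP's own
        provider list as (label, endpoint) pairs; it is consulted only to offer
        providers the user has never added, and those tiles say so."""
        used_here = self.history.get(origin(rp_url), [])
        cards = [Card(self.providers[op][0], self.providers[op][1], "used here", i == 0)
                 for i, op in enumerate(used_here)]
        everywhere = {op for ops in self.history.values() for op in ops}
        for op in sorted(everywhere - set(used_here)):
            cards.append(Card(self.providers[op][0], self.providers[op][1], "used elsewhere"))
        for label, url in suggested:
            if origin(url) not in self.providers:
                cards.append(Card(label, url, "never used here"))
        return cards

    def select(self, rp_url, card):
        """User clicked a tile: go to the endpoint the selector stored, not to
        whatever URL the RP put in its page, and record the use so that this
        card is the default at this RP next time."""
        self.remember(rp_url, card.op_endpoint, card.label)
        return card.op_endpoint


# Constructed sample history: the user has logged in with Yahoo at two RPs and
# with Google at one of them.  Endpoints are placeholders, not real OP URLs.
def build_demo_selector():
    s = Selector()
    s.remember("https://rp-one.example/", "https://login.yahoo.example/openid", "Yahoo")
    s.remember("https://rp-two.example/", "https://login.yahoo.example/openid", "Yahoo")
    s.remember("https://rp-two.example/", "https://accounts.google.example/openid", "Google")
    return s


# A rogue RP's page lists a look-alike "Yahoo" next to the real one.
ROGUE_SUGGESTIONS = [
    ("Yahoo", "https://login.yahoo.example/openid"),
    ("Yahoo", "https://login.yahoo.example.attacker-host.example/openid"),
]

if __name__ == "__main__":
    sel = build_demo_selector()
    for c in sel.cards_for("https://rp-one.example/login", ROGUE_SUGGESTIONS):
        print(f"{'*' if c.default else ' '} {c.label:7} {c.status:16} {c.op_endpoint}")
```

Run as a script it prints three tiles for the rogue site: the user's real Yahoo as the default (“used here”), Google (“used elsewhere”), and the attacker's look-alike flagged “never used here”. The comparison is by origin only, so a host that merely contains “yahoo” in its name is never mistaken for the stored provider, and `select` always navigates to the stored endpoint rather than to the RP's link.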

Good Tweets

Unfortunately I couldn't attend the meeting in person but remained wired to the tweets. Summit host Allen Tom from Yahoo said, “Showing already used OpenIDs is a great protection against phishing: if a rogue RP tries to send the user to ‘fake yahoo.com’, a regular Yahoo user will click on his Yahoo button in the selector and won’t even see the fake yahoo link.”

He added, “The prototype selector goes in the right direction by offering a better experience when present, while not preventing users from accessing their favorite sites from any computer.”

Google's Eric Sachs saw value too. “…And a fake yahoo tile would say ‘never used here’ so that’s even more information to help protect the user.”

Bringing our perceptions together from different organizations with different missions and vantage points is what can make all of this succeed. The partnering is the key.

So one of the best things about the prototype, in my view, is that it has already demonstrated collaboration between a whole set of really experienced community members:

Relying Parties: JanRain, Plaxo, Deutsche Telekom

OpenID Providers: Yahoo, Google, JanRain

Identity Selectors: Microsoft, Deutsche Telekom

Enhancing Specifications: Microsoft, Facebook, Yahoo.

Today, the same prototype was presented to the influential Internet Identity Workshop. I'll add to my growing list of IOUs a promise to do a screen capture of how the prototype works so everyone can take a look.